Information Security Risk Assessment Methodology

An information security risk assessment should take into account system-level risk (inclusive of applications and systems) and process-level risk (inclusive of the components of an information security program). Once a risk rating is established for each application and each component of the system, the dimension(s) of risk should be assigned to each. The minimum dimensions of risk should include the following:

Compliance risk: Maintaining legal compliance with the applicable regulations, as well as compliance with the organization's governance guidelines and policies.

Transaction/Financial risk: Impact on earnings, cash flow, revenue or capital due to problems with, or interruptions in, service or product delivery.

Operational risk: The risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events.

Reputational risk: Developing and retaining marketplace confidence in handling customers' financial transactions appropriately and within an acceptable time frame, as well as meeting the emerging needs of the customer base and community, which are important to protecting the safety and soundness of the institution.

More than one dimension of risk can apply to an application or process. For example, the lack of a vendor management program can result in Operational and Compliance risk. It could also result in Reputational risk if the vendor is breached, and in Financial/Transaction risk if the service the vendor provides is interrupted long enough to prevent the bank from generating revenue (account opening, loan products, wire transfers, etc.).

System-level Risk Definitions

Technologies identified as having high levels of aggregate risk typically require immediate attention, while those with moderate or low aggregate risk require continued execution of current risk management practices.
Threat Index

The Threat Index is based on the threats and vulnerabilities facing the system. A threat does not present a risk when there is no vulnerability that can be exercised (think of a standalone system used for a specific application that is not connected to the bank's network or the Internet). A threat is defined as the potential to exercise a specific vulnerability. A vulnerability is defined as a flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the bank's security policy.
When NPPI (non-public personal information) or PII (personally identifiable information) is present within an application, or is processed or transmitted by or through a system or data transport, the application or system carries a higher inherent risk rating because of the nature of the data and the fact that it becomes a target for attackers. In these types of applications and systems, controls should typically be stronger, more complex and multi-layered.

An outsourced application or system is typically rated lower risk than the same application managed in-house, because the vendor providing the outsourced service or product typically has a larger number of staff with more specialized skill sets to operate and monitor the service and the controls required to protect it. This lower rating should only be applied once the bank's vendor management program has verified that those controls actually exist and are working; outsourcing transfers the operation of the controls, not the bank's accountability for the data.

Ratings for Threat Level

Low: The risk of attack to this system is very low. Factors affecting this rating could be limited access to the system in question, minor value of the stored data, or technical obscurity which limits the number of potential attackers with an understanding of the system. Vulnerabilities are not trivial and require an expert level of technology and exploit knowledge to compromise.

Moderate: The risk of attack to this system is moderate. Factors affecting this rating could be that the system is remotely accessible over the organization's internal network and uses well-known technology for which there are readily available attack tools. Knowledge of the system is widespread and as a result there is a large pool of potential attackers. The vulnerabilities are not trivial, however, and will require a deeper knowledge of technology and exploit practices to compromise.

High: The risk of attack to this system is extremely high. Factors affecting the rating could be that the system is publicly accessible from the Internet or other public networks and uses well-known technology for which there are readily available attack tools. Security controls are extremely weak, and the vulnerabilities can definitely be compromised by an attacker with limited skill or knowledge.

Ratings for Impact Level

These ratings are based on the business impact to the organization resulting from a breach in security. Such a breach could allow unauthorized access to information on the system. A security breach, or an act of nature, could also damage or destroy the system so that it cannot perform its intended functions.

Low: A security breach on this system would cause minimal impact to the organization or its customers. It would affect a small number of persons or would impact a non-essential business process.
Moderate: A security breach on this system would cause moderate impact to the organization or its customers. It would affect a moderate number of persons or would impact an essential business process.

High: A security breach on this system would cause significant impact to the organization or its customers. It would affect a large number of persons or would impact a critical business process.

Criticality

This defines the overall criticality of the system to the bank's operations. A system may be categorized at a Low, Moderate or High level based on its importance to the bank. This takes into account whether NPPI resides on or is processed through the system and how critical the system is to the bank's normal day-to-day business.

Low: A loss or interruption of services has minimal or no effect on the operations of the bank.

Moderate: A loss or interruption of services for an extended period of time limits the functions or services that the bank can provide to its employees and/or members and might cause financial loss.

High: A loss of the system or an interruption of services for an extended period of time is mission critical and may require the business continuity plan to be activated.

Controls Risk

Security controls inhibit attempts to violate security policy and provide protection against system compromises. These controls encompass technical and non-technical methods, including identification and authentication mechanisms, security policies, operational procedures, audit facilities and encryption methods. Further, controls can be preventive or detective in nature. The risk facing the bank due to the effectiveness (or ineffectiveness) of the control framework is defined as Controls Risk.

Low: The defined control framework is appropriate for the bank in light of the Threat Index, and the overall risk to the bank is sufficiently controlled. Further, the defined controls are in existence and working properly.
Moderate: There is evidence of control practices that appear to mitigate some of the technology risks. Factors affecting the rating could be that some controls are effective while others are not or are missing.
High: The defined control framework is ineffective in light of the Threat Index on a particular system. There is little or no evidence of control practices. The control framework does not provide the requisite protection against the identified threats and vulnerabilities.

Risk

This defines the overall vulnerability of the bank's systems and applications to threats after the controls have been assessed. A system may be categorized at a Low, Moderate or High level based upon the profile of the system, including whether NPPI resides on or is processed through the system, whether the system is outsourced, the threat to the system (is it Internet-facing?), how critical the system is to the bank's normal day-to-day business, and the impact of a breach or interruption in service.

Low: Controls meet best practices or exceed minimum requirements, based upon the combination of the existence of NPPI, whether the system is outsourced, the Threat Level, Criticality and Impact to the bank and its members.

Moderate: Controls meet minimum requirements, based upon the combination of the existence of NPPI, Threat Level, Criticality and Impact to the bank and its members.

High: Controls are lacking or highly insufficient, based upon the combination of the existence of NPPI, Threat Level, Criticality and Impact to the bank and its members.

Example: Conducting a risk assessment on a web-based payroll system would produce the result in the table below. Assume that the application is Internet-facing and outsourced, and that NPPI is transmitted to and stored at the service provider. Criticality is MODERATE since the pay cycle is twice monthly and the bank can write physical checks for the employees or pay via ACH if the vendor's system is unavailable. Controls in place include the following:

- Only 2 staff members from the bank's HR department have access to the application.
- It requires multifactor authentication; the second factor is a token.
- The password policy is complex and strong: at least 10 characters, with 1 uppercase, 1 numeric and 1 special character.
- Data is transmitted via a secure VPN.

Application Name   Outsourced  NPPI  Threat Index  Criticality  Impact  Controls  Risk
Web-based Payroll  Y           Y     H             M            H       L         L
Here is the same scenario with a different set of controls. Assume again that the application is Internet-facing and outsourced, that NPPI is transmitted to and stored at the service provider, and that Criticality is MODERATE for the same reason (a twice-monthly pay cycle, with physical checks or ACH as a fallback if the vendor's system is unavailable). Controls in place include the following:

- Only 2 staff members from the bank's HR department have access to the application.
- The password policy is strong: at least 8 characters, including 1 uppercase and 1 numeric.
- Data is transmitted as a spreadsheet attached to an encrypted email.

The Risk is listed as MODERATE but could reasonably be considered HIGH: there is no second authentication factor on an Internet-facing application, and a spreadsheet sent by email leaves copies of the NPPI in mailboxes and on endpoints at both ends, outside the protection that the encryption gives it in transit.

Application Name   Outsourced  NPPI  Threat Index  Criticality  Impact  Controls  Risk
Web-based Payroll  Y           Y     H             M            H       M         M